11. INTEGERS MOD m AND PUBLIC KEY CRYPTOGRAPHY

§ 11.1. Days of the Week

When we do calculations with days of the week we use a system that is called the system of integers modulo 7, or ℤ7 for short. This is a system in which we throw away multiples of 7 (whole weeks) and only keep remainders after division by 7.

Today is Thursday. What day of the week will it be in 8 days time? Clearly it will be a Friday. We do not count forward 8 days. We simply recognise that in 7 days time it will still be a Thursday, so 8 days will bring us to a Friday.

In 72 days time it will be a Saturday. We can ignore 70 of the 72 days because they represent so many whole weeks. We simply count 2 days forward from today.

What day of the week will it be in 1000 days time? Dividing 1000 by 7 we get a quotient of 142 with a remainder of 6. The quotient is unimportant, only the remainder. So if we were doing the calculation in our head, and we were feeling particularly lazy, we might say something like this. “Throw away 700 to get 300. Now discard 280, leaving 20. Take off 14 and this leaves us with 6. We simply subtract suitable multiples of 7 repeatedly until we get an answer in the range 0 to 6.”

Having discovered that it will be the same day of the week in 6 days time as it will be in 1000, what then? Would we count forward 6 days from today? Not if we are particularly lazy. We would realise that in 6 days time it will be the same day of week as it was yesterday. If today is Thursday our answer is Wednesday. In the system of days of the week 6 days forward is the same as one day back.

The mathematical system that underlies all this is the system ℤ7. It consists of 7 numbers 0, 1, 2, 3, 4, 5 and 6. These numbers may look like integers but they are not. For if we add the integers 5 and 4 we get 9, but if we add the numbers 5 and 4 in this ℤ7 system we get 2. Five days from now plus a further 4 days brings us to the same day of the week as it will be in 2 days time.
You could take the view that 5 + 4 is 9 but in the system ℤ7 the symbol 9 is just another name for 2 since they differ by 7. The important thing, however, is that we quote our final answer using the standard names for these numbers, that is one of the symbols 0, 1, 2, 3, 4, 5 or 6. To avoid confusing calculations in the mod 7 system with those for ordinary integers we often add a note to remind us that our result is valid for the mod 7 system. So we might write 5 + 4 ≡ 2 (mod 7). However if we’re doing a lot of calculations in ℤ7 we can simply announce that we’re working in that system and simply write 5 + 4 = 2.

The system ℤ7 is, in many ways, a miniature version of the system of integers. We can add and multiply any two numbers in the system and our answer will be one of the 7 numbers.

§ 11.2. The system ℤ7

We can describe the workings of the system ℤ7 by setting out its addition and multiplication tables.

  +   0  1  2  3  4  5  6
  0   0  1  2  3  4  5  6
  1   1  2  3  4  5  6  0
  2   2  3  4  5  6  0  1
  3   3  4  5  6  0  1  2
  4   4  5  6  0  1  2  3
  5   5  6  0  1  2  3  4
  6   6  0  1  2  3  4  5

  ×   0  1  2  3  4  5  6
  0   0  0  0  0  0  0  0
  1   0  1  2  3  4  5  6
  2   0  2  4  6  1  3  5
  3   0  3  6  2  5  1  4
  4   0  4  1  5  2  6  3
  5   0  5  3  1  6  4  2
  6   0  6  5  4  3  2  1

Examine these tables and look for patterns. Note that the entries in the body of each table are all in the set {0, 1, 2, 3, 4, 5, 6}. We describe this by saying that: ℤ7 is closed under addition and multiplication.

Secondly both tables are symmetric about the (top-left to bottom-right) diagonal. We describe this by saying that addition and multiplication in ℤ7 are commutative. That is: For all numbers x and y in the system, x + y = y + x and xy = yx.

Note that each table has a row that’s identical with the numbers above the table. This reflects the fact that there are numbers in the system that have no effect when they’re added to or multiplied by any number. These numbers are called the “identities”. The additive identity is the number 0 and the multiplicative identity is the number 1.
The special properties of these numbers are described by the statements: For any x in the system 0 + x = x = x + 0 and 1x = x = x1.

Something that you wouldn't notice just by casual observation are the associative laws: For any x, y and z in the system x + (y + z) = (x + y) + z and x(yz) = (xy)z.

In the addition table every one of the 7 numbers appears in each row and column. This allows subtraction to be possible. What is 2 − 5? It should mean “that number which when added to 5 gives 2”. We look along the 5 row until we reach a 2. The fact that every number appears in every row and column guarantees that we'll find a 2. There it is in the “4” column. So 5 + 4 = 2 and hence 2 − 5 = 4.

In particular the number 0 appears in each row and column. That is: For every number x there is a number y such that x + y = 0 = y + x. We denote this additive inverse of x by y = −x. The following table gives the additive inverses of all the elements of ℤ7.

   x   0  1  2  3  4  5  6
  −x   0  6  5  4  3  2  1

When it comes to multiplication things are just a little different. The first row and column consist entirely of 0's. But if we focus our attention on the non-zero part we get every non-zero number appearing exactly once in each row and column. This allows us to divide in this system, provided we don't want to divide by zero. What is 3/5 in ℤ7? In other words, what number when multiplied by 5 gives 3? We look along the “5” row until we find a 3. We are guaranteed to find a 3 because every number occurs exactly once in the 5 row. There it is, in the “2” column. So 5·2 = 3 and hence 3/5 = 2.

In particular the number 1 appears in each row and column (apart from the 0 one). That is: For every non-zero number x there is a number y such that xy = 1 = yx. We denote this multiplicative inverse of x by y = x^−1. The following table gives the multiplicative inverses of all the non-zero elements of ℤ7.
   x      1  2  3  4  5  6
  x^−1    1  4  5  2  3  6

The advantage of having only a finite number of numbers in our mini number system, ℤ7, is that we can describe any function from ℤ7 to ℤ7 by means of a table of values. Above we have the table for f(x) = x^−1. What about some other powers?

   x     1  2  3  4  5  6
  x^2    1  4  2  2  4  1
  x^3    1  1  6  1  6  6
  x^4    1  2  4  4  2  1
  x^5    1  4  5  2  3  6

Notice that we don’t need a calculator to complete this table. We simply multiply each row by the first to get the next. So there is no need to compute 5^5, for example. We simply multiply 5^4 by 5, that is, 2 times 5 which, mod 7, is 3.

Now something rather remarkable happens when we compute the next power.

   x     1  2  3  4  5  6
  x^6    1  1  1  1  1  1

So x^6 ≡ 1 (mod 7) for all non-zero x ∈ ℤ7.

You may wonder why we would ever want to raise days of the week to powers. The answer is that we wouldn’t. Doing calculations with the calendar is just one of the more elementary applications of these finite mathematical systems. A much more important application is to the science of cryptography, the science of secret codes. Transmitting information securely is no longer only of interest to secret agents and the military. It’s of vital interest to business. But of course 7 is much too small a number for these purposes. What we have done for 7 can be done for any modulus.

§ 11.3. The system ℤm

For any positive integer, m, the system of integers mod m is the set {0, 1, 2, … , m − 1} with addition and multiplication carried out modulo m, that is the result of adding or multiplying two of these elements is adjusted to give one of these m numbers by subtracting a suitable multiple of m. More formally we add or multiply in the usual way but then take the remainder on dividing by m.

The smallest of these is ℤ1 but as this contains just one number 0 with 0 + 0 = 0 and 0·0 = 0 it is not of much use. The smallest useful example is ℤ2, the integers modulo 2. Here we have just two numbers 0 and 1.
They combine just as they normally do in integer arithmetic with one exception: 1 + 1 = 0. Here are the full addition and multiplication tables for ℤ2.

  +   0  1        ×   0  1
  0   0  1        0   0  0
  1   1  0        1   0  1

Incidentally, notice that these tables have the same patterns as the addition and multiplication tables for the entities “odd” and “even”. If you consider 0 as representing “even” and 1 representing “odd” then 1 + 1 = 0 is simply recording the fact that “odd plus odd is even”. No wonder ℤ2 is sometimes called “dunces' arithmetic”. Apart from having very little to learn by way of one's tables, a dunce could get 50% of the answers in an arithmetic test correct just by guessing!

But surely ℤ2 is far too simple a mathematical system to be of any practical use. For cryptography it is, but there’s another sort of code – the error-correcting code. Here the goal is not to conceal the message but to compensate for a small number of errors that can creep in when a message is transmitted electronically. Here ℤ2 is admirably suited because every message transmitted electronically is just a long string of 0's and 1's.

Let's try ℤ8, the system of integers modulo 8. Here are its addition and multiplication tables.

  +   0  1  2  3  4  5  6  7
  0   0  1  2  3  4  5  6  7
  1   1  2  3  4  5  6  7  0
  2   2  3  4  5  6  7  0  1
  3   3  4  5  6  7  0  1  2
  4   4  5  6  7  0  1  2  3
  5   5  6  7  0  1  2  3  4
  6   6  7  0  1  2  3  4  5
  7   7  0  1  2  3  4  5  6

  ×   0  1  2  3  4  5  6  7
  0   0  0  0  0  0  0  0  0
  1   0  1  2  3  4  5  6  7
  2   0  2  4  6  0  2  4  6
  3   0  3  6  1  4  7  2  5
  4   0  4  0  4  0  4  0  4
  5   0  5  2  7  4  1  6  3
  6   0  6  4  2  0  6  4  2
  7   0  7  6  5  4  3  2  1

Notice that the above addition table is very similar to the one for ℤ7. Each row is identical to the one above but moved one place to the left, with the number that falls off the left-hand edge “wrapping around” to the right-hand end. But with multiplication the pattern is very different. With ℤ7 the non-zero entries were uniformly distributed with each one appearing in every row and column in the non-zero part of the table.
But with ℤ8 2's, 4's and 6's occur more frequently than 1's, 3's, 5's and 7's and 0's creep into the non-zero part of the table (for example 2 × 4 = 0 even though neither 2 nor 4 is zero).

The system ℤ7 behaves much more like the arithmetic we're used to than ℤ8. In ℤ7 the cancellation law: If xy = 0 then x = 0 or y = 0 is valid. In ℤ8 it is not.

The lack of the cancellation law in ℤ8 turns our normal notions of algebra on their head. Take the solution of quadratic equations. A quadratic can’t have more than two solutions, right? Wrong! At least for ℤ8 it’s wrong. Take the quadratic equation x^2 − 1 = 0. Solving, we get (x − 1)(x + 1) = 0. So far so good, even in ℤ8. But as soon as we try to say “hence x − 1 = 0 or x + 1 = 0” we’ve transgressed in ℤ8 because this last step appeals to the cancellation law, which is just not true in ℤ8. In fact the quadratic x^2 − 1 = 0 has as many as four solutions in ℤ8 as is shown by the following table of squares.

   x     0  1  2  3  4  5  6  7
  x^2    0  1  4  1  0  1  4  1

So why is the arithmetic and algebra of ℤ8 so different to that of ℤ7? The difference is simply due to the fact that 7 is prime and 8 is not.

The Cancellation Law states that: If xy = 0 then x = 0 or y = 0. An equivalent statement is: If a ≠ 0 and ax = ay then x = y. [Remember that ax = ay is equivalent to a(x − y) = 0.]

While the Cancellation Law holds in ordinary arithmetic it fails to hold in many algebraic systems. For example it doesn’t hold for matrices.

Example 1: The Cancellation Law doesn’t hold in ℤ100 since 10·10 = 0 in ℤ100 while 10 ≠ 0 in that system.

Theorem 1: If p > 1, the Cancellation Law holds in ℤp if and only if p is prime.
Proof: Suppose the modulus p is not prime. Then p = ab for some a, b with 0 < a, b < p. Then in ℤp, ab = 0 while a ≠ 0 and b ≠ 0 and so the cancellation law fails. In other words if the cancellation law holds in ℤp then p must be prime.
Now suppose that p is prime and suppose that in ℤp, ab = 0 where a ≠ 0. Hence in ℤ a is not divisible by p.
Since p is prime this means that a and p are coprime. Hence 1 = ah + pk for some integers h, k. Multiplying both sides by b we get b = (ab)h + p(bk). In ℤp this gives b = 0. So if ab = 0 in ℤp either a = 0 or b = 0.

If we’re using the same modulus, m, in a piece of work we simply announce at the beginning that we are working in ℤm. But if we need to change the modulus we use a different notation that constantly reminds us of which modulus we are using at any given time. We say that a is congruent to b modulo m if a and b have the same remainders on division by m. We write this as a ≡ b (mod m). In ℤm this simply means that a = b. In ℤ it means that m divides a − b or that a = b + mq for some integer q.

Example 2: 27 ≡ 13 (mod 7) since 7 divides 27 − 13 = 14, or equivalently, 27 = 13 + 7·2. In ℤ7, 27 = 13. They are just alternative ways of writing 6.

§ 11.4. Inverses in ℤm

For many applications it is important to be able to find an inverse in ℤm where one exists. The elements that have inverses are called “units”. A unit of ℤm is any element of ℤm that has an inverse under multiplication.

Theorem 2: Any product of units is a unit.
Proof: It is sufficient to prove this for a product of two units. Since (b^−1 a^−1)(ab) = 1 it is clear that ab has an inverse.

The special property of units is that it is always possible to cancel them in equations.

Theorem 3: If a is a unit of ℤm and ax = ay then x = y.
Proof: If ax = ay and a is a unit then a^−1(ax) = a^−1(ay) and so x = y.

Theorem 4: a ∈ ℤm is a unit if and only if GCD(a, m) = 1.
Proof: Suppose that a is a unit of ℤm. Then for some b ∈ ℤm, ab = 1. In ℤ this becomes ab = 1 + mq for some q ∈ ℤ. Let d = GCD(a, m). Then, since d divides both a and m it follows that d divides 1.
Suppose now that GCD(a, m) = 1. Then 1 = ah + mk for some h, k ∈ ℤ. In ℤm this becomes 1 = ah, so a has an inverse, namely h.
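As an added illustration of Theorems 1 and 4, and not part of the chapter, here is a small Python script that lists the units of ℤm both by the GCD test and by scanning the multiplication table, lists the zero divisors (the elements that break the Cancellation Law), and counts the solutions of x^2 − 1 = 0 for a prime and a composite modulus. The function names are my own.

```python
# Added example, not from the chapter: the units of Z_m found two ways (the gcd
# test of Theorem 4 and a scan of the multiplication table), the zero divisors
# that break the Cancellation Law, and the roots of x^2 - 1 that Theorem 1
# explains. Function names are my own.
from math import gcd
from typing import List


def units(m: int) -> List[int]:
    """Elements of Z_m with a multiplicative inverse, by Theorem 4: gcd(a, m) = 1."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def units_by_table(m: int) -> List[int]:
    """The same set found the slow way: a is a unit if a 1 appears in its row of the x table."""
    return [a for a in range(1, m) if any((a * b) % m == 1 for b in range(1, m))]


def zero_divisors(m: int) -> List[int]:
    """Non-zero a for which some non-zero b gives ab = 0 in Z_m.

    An empty list means the Cancellation Law holds; by Theorem 1 that happens
    exactly when m is prime.
    """
    return [a for a in range(1, m) if any((a * b) % m == 0 for b in range(1, m))]


def cancellation_law_holds(m: int) -> bool:
    return not zero_divisors(m)


def roots_of_x2_minus_1(m: int) -> List[int]:
    """Solutions of x^2 - 1 = 0 in Z_m; a prime modulus gives only 1 and m - 1."""
    return [x for x in range(m) if (x * x - 1) % m == 0]


if __name__ == "__main__":
    for m in (7, 8, 15, 100):
        print(f"Z_{m}: units={units(m)} zero_divisors={zero_divisors(m)} "
              f"roots of x^2-1={roots_of_x2_minus_1(m)} "
              f"cancellation law holds: {cancellation_law_holds(m)}")
```

Running it for m = 7 and m = 8 reproduces the two situations the text contrasts: ℤ7 has six units, no zero divisors and only the roots 1 and 6, while ℤ8 has zero divisors 2, 4, 6 and the four roots 1, 3, 5, 7 of the table of squares above.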
We can find inverses modulo m by working out the greatest common divisor by the Euclidean algorithm and then working backwards to express 1 in the form ab + mc.

Example 3: Find the inverse of 35 modulo 143.
Solution: The Euclidean algorithm gives the quotients 4, 11 and 1:
  143 = 35·4 + 3
   35 = 3·11 + 2
    3 = 2·1 + 1
So 1 = 3 − 2 = 3 − (35 − 3·11) = 3·12 − 35 = (143 − 35·4)·12 − 35 = 143·12 − 35·49.
Hence 35(−49) ≡ 1 (mod 143). So the inverse of 35 modulo 143 is −49 = 94.

Theorem 5: Let a, m be positive integers and let {a_n}, {q_n}, {b_n} be sequences of integers defined recursively for n ≥ 0 (until a_n = 1) by:
  a_0 = m, b_0 = 0, a_1 = a, b_1 = 1 and, for n ≥ 2:
  q_{n−1} = INT(a_{n−2}/a_{n−1}), a_n = a_{n−2} − a_{n−1}q_{n−1}, b_n = b_{n−2} − b_{n−1}q_{n−1}.
Then for all n, ab_n ≡ a_n (mod m).
Proof: For n = 0 this merely says that 0 ≡ m (mod m), which is certainly true. For n = 1 this says that a ≡ a (mod m), which is also true. Suppose now that n ≥ 1 and that ab_{n−1} ≡ a_{n−1} (mod m) and ab_n ≡ a_n (mod m). Then ab_{n+1} = a(b_{n−1} − b_nq_n) ≡ ab_{n−1} − ab_nq_n ≡ a_{n−1} − a_nq_n (mod m) ≡ a_{n+1} (mod m).
Corollary: If a, m are coprime, ultimately a_n = 1 and so b_n ≡ a^−1 (mod m).

So by computing the sequence {b_n} in parallel with the {a_n} we can find the inverse of a modulo m. We set our working in three columns. The first column contains the successive values of q. The second column contains the values of a_n and the third column contains the values of b_n. To begin with we set down the following values in the second and third columns. The first column remains blank at this stage.

  q_n    a_n    b_n
          m      0
          a      1

These rows correspond to n = 0 and n = 1. We compute each of the remaining rows from the two rows above it as follows:

  q_n                               a_n                          b_n
                                    a_{n−2}                      b_{n−2}
                                    a_{n−1}                      b_{n−1}
  q_{n−1} = INT(a_{n−2}/a_{n−1})    a_{n−2} − a_{n−1}q_{n−1}     b_{n−2} − b_{n−1}q_{n−1}

We continue until we obtain a “1” in the middle column. The required inverse will now appear in the third column.
The table will have the form:

  q_n                               a_n                          b_n
                                    m                            0
                                    a                            1
  …                                 …                            …
  q_{n−1} = INT(a_{n−2}/a_{n−1})    a_{n−2} − a_{n−1}q_{n−1}     b_{n−2} − b_{n−1}q_{n−1}
  …                                 …                            …
                                    1                            inverse

Each item in the first column is obtained by finding the quotient on dividing the two most recent entries in the middle column; the quotient goes in the first column and the remainder goes in the middle column. For the third column we do the same calculation on the two most recent entries in the third column, but using the same quotient as before:

  q       A         B
          a         b
  q    A − a·q   B − b·q

Example 4: Find the inverse of 35 mod 143.
Solution: We begin with:

  q_n    a_n    b_n
         143     0
          35     1

For the next row we find INT(143/35) = 4, 143 − 35·4 = 3 and 0 − 1·4 = −4.

  q_n    a_n    b_n
         143     0
          35     1
    4      3    −4

The table is completed in the same way:

  q_n    a_n    b_n
         143     0
          35     1
    4      3    −4
   11      2    45
    1      1   −49

So the inverse of 35 modulo 143 is −49 = 94.

§ 11.5. Powers in ℤm

Consider the geometric progression 1, x, x^2, x^3, … for some x ∈ ℤm. Since ℤm is finite we must get repetitions. And once one power is equal to an earlier one the same block of numbers simply repeats. For example in ℤ10, the powers of 3 are 1, 3, 9, 7, 1, 3, 9, 7, … The powers of 2 are 1, 2, 4, 8, 6, 2, 4, 8, 6, … This simple fact enables us to answer questions in our head that would appear to require enormous amounts of computation.

Example 5: What is the final digit in 7^1995?
Solution: There’s no need to compute the complete value of 7^1995. In any case to do so would require more than a normal calculator. But computing the first few powers of 7 modulo 10, until we get a repetition, we have:

   n     0  1  2  3  4
  7^n    1  7  9  3  1

Since in ℤ10, 7^4 = 1 then 7 to any multiple of 4 will give 1 in ℤ10. So we need only find the remainder on dividing 1995 by 4. Now 1995 = 498·4 + 3, so 7^1995 = (7^4)^498·7^3 = 7^3 = 3 in ℤ10. Hence 7^1995 ends in a 3.

The following Theorem is known as Fermat's “Little” Theorem. This is to distinguish it from his celebrated “Last Theorem”.
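The three-column method of Theorem 5 and Example 4, written out as an added Python example (it is not code from the chapter). The rows it returns are exactly the chapter's table; the names `inverse_table`, `inverse_mod` and `format_table` are my own, and the case where a and m are not coprime (the middle column reaches 0 before it reaches 1) is reported instead of silently producing a wrong answer.

```python
# Added example, not from the chapter: the three-column table of Theorem 5,
# as laid out in Example 4, built in code so that every row can be inspected,
# with the case gcd(a, m) > 1 (no inverse) handled. Function names are my own.
from typing import List, Optional, Tuple

Row = Tuple[Optional[int], int, int]   # (q_{n-1}, a_n, b_n); q is blank for n = 0 and 1


def inverse_table(a: int, m: int) -> Tuple[List[Row], Optional[int]]:
    """Return the rows (q, a_n, b_n) and the inverse of a mod m, or None if a is not a unit.

    Rows 0 and 1 are (m, 0) and (a, 1); each later row is built from the two
    above it: q = INT(a_{n-2} / a_{n-1}), a_n = a_{n-2} - a_{n-1} q, b_n = b_{n-2} - b_{n-1} q.
    Stop at a_n = 1 (then b_n is the inverse) or at a_n = 0 (then gcd(a, m) > 1).
    """
    if a <= 0 or m <= 1:
        raise ValueError("need a > 0 and m > 1")
    rows: List[Row] = [(None, m, 0), (None, a, 1)]
    while rows[-1][1] not in (0, 1):
        _, a_prev2, b_prev2 = rows[-2]
        _, a_prev1, b_prev1 = rows[-1]
        q = a_prev2 // a_prev1
        rows.append((q, a_prev2 - a_prev1 * q, b_prev2 - b_prev1 * q))
    last_a, last_b = rows[-1][1], rows[-1][2]
    if last_a != 1:
        return rows, None                      # reached 0: a and m share a factor
    return rows, last_b % m                    # reduce, e.g. -49 becomes 94


def inverse_mod(a: int, m: int) -> int:
    """Just the inverse; raises if a is not a unit of Z_m."""
    _, inv = inverse_table(a, m)
    if inv is None:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return inv


def format_table(rows: List[Row]) -> str:
    """Render the working in the three columns the chapter uses."""
    lines = [f"{'q_n':>5} {'a_n':>6} {'b_n':>6}"]
    for q, a_n, b_n in rows:
        lines.append(f"{'' if q is None else q:>5} {a_n:>6} {b_n:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, inv = inverse_table(35, 143)
    print(format_table(rows))
    print("inverse of 35 mod 143 =", inv)
```

Because each row keeps the invariant ab_n ≡ a_n (mod m) of Theorem 5, the final b_n is a valid inverse whatever the order of a and m, so `inverse_table(143, 35)` also works; it simply spends one extra row with quotient 0.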
Fermat's Last Theorem states that for all integers n ≥ 3 there are no solutions to the equation x^n + y^n = z^n for non-zero integers x, y and z. We all know that 3^2 + 4^2 = 5^2 and 5^2 + 12^2 = 13^2. There are infinitely many such integer solutions to the equation x^2 + y^2 = z^2. But when it comes to n = 3, or any larger value of n, the situation is quite different. There are, of course, trivial solutions such as 0^n + 1^n = 1^n but no non-trivial solutions. It was proved for n = 3 a long time ago, and over the years for larger and larger values of n. But it wasn’t until the late 20th century that it was proved that there are no non-trivial solutions for all n.

Fermat claimed to have proved this theorem 350 years ago in a note in one of his books but claimed “the margin is too small to contain it”. There has been much controversy as to whether he really did have a complete proof, but as it took over 350 years for such a proof to be found, and since this proof required whole tracts of mathematics that were not developed until the late 20th century, the consensus seems to be that he only thought he had a proof.

His “Little” Theorem, on the other hand, is one that he is known to have proved. There are now numerous proofs of this theorem – here are three of them.

Theorem 6 (FERMAT): If p is prime and a is not a multiple of p then a^(p−1) ≡ 1 (mod p).

Proof #1: We prove by induction on a that for all a ≥ 1, a^p ≡ a (mod p). If a = 1 the result is clearly true so suppose now that it is true for a. Then by the Binomial Theorem, (a + 1)^p = a^p + pa^(p−1) + ½p(p − 1)a^(p−2) + … + 1. Since p is prime, all the binomial coefficients, except the first and the last, are multiples of p so, modulo p: (a + 1)^p ≡ a^p + 1 ≡ a + 1 (mod p) by the induction hypothesis. Hence the result holds for a + 1. To get from a^p = a to a^(p−1) = 1 we use the Cancellation Law.

Proof #2: (For those who know a little group theory) Since p is prime the non-zero elements of ℤp form a group under multiplication.
By Lagrange’s Theorem the order of each element of this group divides p − 1, the order of the group. Hence a^(p−1) = 1 for all non-zero a ∈ ℤp.

Proof #3: Let N = (p − 1)! = 1·2·3 … (p − 1). Clearly p doesn’t divide N and so in ℤp, N ≠ 0. In the remainder of the proof we interpret everything as elements of ℤp. Multiply each of the factors of N by a. Hence a^(p−1)N = a·2a·3a· … ·(p − 1)a. By the cancellation law, no two of these factors are equal, so they must be all the non-zero elements in some order. Hence the right hand side of the above equation is N. So a^(p−1)N = N and, since N ≠ 0, it follows by the Cancellation Law that a^(p−1) = 1.

Example 6: p = 7, N = 1·2·3·4·5·6. Now modulo 7, {2, 4, 6, 8, 10, 12} = {2, 4, 6, 1, 3, 5}. Both sets therefore have the same product, 2^6 N = 2·4·6·1·3·5 = N ∴ 2^6 = 1 in ℤ7.

Note that in this example N = 720 ≡ −1 (mod 7). This holds for all primes p.

Theorem 7: If p is prime then (p − 1)! ≡ −1 (mod p).
Proof: Now (p − 1)! = 1·2·3 … (p − 1). Each one of these factors has an inverse in ℤp and it will cancel its inverse, provided that inverse is a different element of ℤp. So N is the product of all those elements of ℤp that are equal to their own inverse. But if x = x^−1 then x^2 = 1 and so (x − 1)(x + 1) = 0. Since the cancellation law holds in ℤp (for prime p) we must have x = 1 or x = −1. The product of these is −1.

§ 11.6. Euler's ϕ-Function

We define ϕ(m) to be the number of units of ℤm. In other words, it is the number of integers from 1 to m that are coprime with m.

Example 7: ϕ(10) = 4 since the units of ℤ10 are 1, 3, 7 and 9. ϕ(21) = 12 since the units of ℤ21 are 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19 and 20.

Theorem 8: If p is prime and n ≥ 1, ϕ(p^n) = p^(n−1)(p − 1).
Proof: Of the numbers from 1 to p^n, the ones that are not coprime to p^n are the multiples of p. There are p^(n−1) of these and so ϕ(p^n) = p^n − p^(n−1) = p^(n−1)(p − 1).
Corollary: ϕ(p) = p − 1.

Theorem 9: If p, q are distinct primes then ϕ(p^m q^n) = p^(m−1)(p − 1) q^(n−1)(q − 1).
Proof: Of the numbers from 1 to p^m q^n the ones that are not coprime to p^m q^n are the multiples of p and the multiples of q. Now there are p^(m−1) q^n multiples of p in this range, and p^m q^(n−1) multiples of q. But don’t forget that the p^(m−1) q^(n−1) multiples of pq will get counted both times, and so by the Principle of Inclusion-Exclusion we have
  ϕ(p^m q^n) = p^m q^n − p^(m−1) q^n − p^m q^(n−1) + p^(m−1) q^(n−1) = p^(m−1)(p − 1) q^(n−1)(q − 1).
Corollary: ϕ(pq) = (p − 1)(q − 1).

The general case is as follows. We omit the proof.

Theorem 10: ϕ(p_1^(n_1) p_2^(n_2) … p_k^(n_k)) = p_1^(n_1−1)(p_1 − 1) p_2^(n_2−1)(p_2 − 1) … p_k^(n_k−1)(p_k − 1).

An alternative formulation of this theorem is as follows. If the distinct prime divisors of N are p_1, p_2, …, p_k then
  ϕ(N) = N(p_1 − 1)(p_2 − 1)…(p_k − 1) / (p_1 p_2 … p_k).

Leonhard Euler gave the following generalisation of Fermat's Little Theorem.

Theorem 11 (EULER): If a is coprime with n then a^ϕ(n) ≡ 1 (mod n).

Proof #1: This proof is adapted from Proof #3 of Fermat’s Little Theorem. Let N be the product of all the units of ℤn. Clearly N ≠ 0. Multiply each of the factors of N by a. Hence a^ϕ(n) N is the product of each of the units after being multiplied by a. By the cancellation law, no two of these factors are equal, so they must be all the units in some order. Hence a^ϕ(n) N = N. Now the product of any collection of units is a unit so N is a unit. By the Cancellation Law a^ϕ(n) = 1.

Proof #2: However the simplest proof is by group theory. The elements of ℤn that are coprime with n are precisely the units. They form a group, often denoted by ℤn#, under multiplication. The order (size) of this group is ϕ(n). By Lagrange's Theorem the order of each element divides the order of the group and so if a is one of these units, a^ϕ(n) = 1 in ℤn.

Example 8: ϕ(20) = ϕ(2^2·5) = 2^1(2 − 1)·5^0(5 − 1) = 2·4 = 8. ϕ(7000) = ϕ(2^3·5^3·7) = 2^2·5^2·4·6 = 2400.

In computing powers modulo n, we can use Euler’s theorem to break down the power to a much smaller one.

Example 9: Find 69^4803 modulo 7000.
Solution: ϕ(7000) = 2400 so 69^2400 ≡ 1 and hence 69^4800 ≡ 1 so 69^4803 ≡ 69^3 ≡ 328509 ≡ 6509.

If the modulus is large, even breaking down a power to a smaller one may still result in a large power, too large to compute with the computing device available. The trick here is to break the power up as a sum of powers of 2. The number to be raised is then squared repeatedly. But at each stage the answer is reduced modulo the modulus, so that the numbers involved in the calculation are never bigger than the square of the modulus.

Example 10: Find 69^4900 modulo 7000.
Solution: As above, 69^4800 ≡ 1 (mod 7000) so 69^4900 ≡ 69^100.
  69^2  ≡ 4761
  69^4  ≡ 4761^2 ≡ 22667121 ≡ 1121
  69^8  ≡ 3641
  69^16 ≡ 5881
  69^32 ≡ 6161
  69^64 ≡ 3921
Now 100 = 64 + 32 + 4 so 69^100 = 69^64·69^32·69^4 ≡ 3921·6161·1121 ≡ 24157281·1121 ≡ 281·1121 ≡ 315001 ≡ 1. Hence 69^4900 ≡ 1 (mod 7000).

§ 11.7. The RSA Code: How it Works

The need for privacy in sending messages from one person to another has greatly increased with the introduction of electronic communication. There are many systems that have been developed over the years, with varying degrees of security. Public-key cryptography refers to those systems where members of a large universe of users (the public) want to be able to send a message to any other user of the system. The system is operated by an operator who issues to each user certain encoding and decoding keys.

Although messages will normally be alphanumeric they can be converted to sequences of large numbers by some straightforward conversion process. We’ll assume that a “message” is just one of these large numbers.

The method described here is called the RSA code after the three people who devised it, Ron Rivest, Adi Shamir and Leonard Adleman in 1977. Actually it was devised earlier, in 1973, by Clifford Cocks working for the British Intelligence Agency GCHQ but it remained secret until 1997 when it was declassified.
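Examples 9 and 10 as an added Python example (not the chapter's own code): ϕ(n) is computed from the factorisation by Theorem 10, the exponent is reduced modulo ϕ(n) as in Example 9, and the repeated-squaring table of Example 10 is built explicitly so that the intermediate residues can be compared with the ones above. The function names are my own.

```python
# Added example, not from the chapter: Euler's function via Theorem 10 and the
# square-and-multiply method of Example 10, with the exponent reduced first
# as in Example 9. The intermediate residues are returned so they can be
# compared with the chapter's tables. Function names are my own.
from math import gcd
from typing import Dict, List, Tuple


def prime_factors(n: int) -> Dict[int, int]:
    """Trial division, adequate for the small moduli used in this chapter."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """Theorem 10: phi(n) is the product of p^(k-1)(p-1) over the prime powers p^k dividing n."""
    result = 1
    for p, k in prime_factors(n).items():
        result *= p ** (k - 1) * (p - 1)
    return result


def squaring_table(x: int, n: int, max_exponent: int) -> List[Tuple[int, int]]:
    """Rows (2^i, x^(2^i) mod n) for 2^i <= max_exponent, each found by squaring the previous."""
    rows: List[Tuple[int, int]] = []
    e, value = 1, x % n
    while e <= max_exponent:
        rows.append((e, value))
        value = (value * value) % n    # reduced at every step, so never bigger than n^2
        e *= 2
    return rows


def mod_pow(x: int, exponent: int, n: int) -> int:
    """x^exponent mod n: multiply together the rows whose 2^i occurs in the binary expansion."""
    result = 1 % n
    for e, value in squaring_table(x, n, exponent):
        if exponent & e:
            result = (result * value) % n
    return result


def mod_pow_with_euler(x: int, exponent: int, n: int) -> int:
    """First replace the exponent by its remainder mod phi(n); valid only when gcd(x, n) = 1."""
    if gcd(x, n) != 1:
        raise ValueError("Euler's theorem needs x coprime to n")
    return mod_pow(x, exponent % phi(n), n)


if __name__ == "__main__":
    for e, value in squaring_table(69, 7000, 64):
        print(f"69^{e} = {value} (mod 7000)")
    print("69^100 mod 7000 =", mod_pow(69, 100, 7000))
    print("69^4803 mod 7000 =", mod_pow_with_euler(69, 4803, 7000))
```

The coprimality check in `mod_pow_with_euler` matters: Euler's theorem gives a^ϕ(n) ≡ 1 only for units, so reducing the exponent for an x that shares a factor with n would give a wrong answer without it.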
This mirrors the invention of the computer, which was assumed to be by the Americans until British classified documents were declassified many years later, showing that the British (a team led by Alan Turing) had got there first.

SETTING UP

For each user the operator chooses two large prime numbers p, q and computes n = pq. This is the modulus for that user. In practice p, q would be very large primes with something like 100 digits each so n would have a couple of hundred digits. Then the operator computes, for each user, ϕ(n) = (p − 1)(q − 1).

Secondly, for each user, the operator chooses an encoding number, e, that is coprime to ϕ(n). The numbers n and e for each user are made public, in some sort of directory, but the values of p, q and ϕ(n) for each user are kept completely secret.

Traditionally, in describing public key systems, the sender of a message is known as Alice and the recipient is called Bob. Any third person who might intercept the message is known as Eve. In principle Eve could discover the values of p and q for any user by simply factorising their modulus. But in practice these numbers are so large that it’s computationally infeasible to do this. And unless the values of p and q could be found there would be no way of computing ϕ(n).

Finally, for each user, the operator calculates the inverse of their encoding number modulo ϕ(n). This is a number d so that ed ≡ 1 (mod ϕ(n)). These numbers, d, are the so-called decoding numbers. Each user has one and each user is informed only of their own decoding number.

SENDING A MESSAGE

Suppose Alice wants to send a message m to Bob. [Only messages that are coprime to Bob’s modulus n are possible so whatever method is used to convert symbols to numbers, the multiples of Bob’s primes p and q must be avoided. This is not difficult.] Alice looks up the directory for user Bob's encoding number e and modulus n and calculates m^e (mod n).
RECEIVING A MESSAGE

Bob takes the encoded message m^e and calculates (m^e)^d (mod n).

Example 11: In an RSA Public Key cryptographic system a certain user is given the modulus 95 and an encoding number of 65. The operator knows that 95 is the product of the two primes 5 and 19. Find the corresponding decoding number.
Solution: ϕ(95) = ϕ(5·19) = 4·18 = 72. We now verify that 65 is coprime with 72. The Euclidean algorithm gives the quotients 1, 9 and 3:
   72 = 65·1 + 7
   65 = 7·9 + 2
    7 = 2·3 + 1
So 1 = 7 − 2·3 = 7 − (65 − 7·9)·3 = 7·28 − 65·3 = (72 − 65)·28 − 65·3 = 72·28 − 65·31.
Modulo 72 this becomes 1 = −65·31 so the inverse of 65 is −31 = 41. This is the corresponding decoding number.

Example 12:
Alice: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41. N.B. 65·41 = 2665 ≡ 1 (mod 72)
Bob: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17. N.B. 53·17 = 901 ≡ 1 (mod 60)

OPERATOR KNOWS
  A: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41
  B: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17
Eve KNOWS
  A: n1 = 95, e1 = 65
  B: n2 = 77, e2 = 53
Alice KNOWS
  A: n1 = 95, e1 = 65, d1 = 41
  B: n2 = 77, e2 = 53
Bob KNOWS
  A: n1 = 95, e1 = 65
  B: n2 = 77, e2 = 53, d2 = 17

Suppose Alice wants to send the message m = 4 to Bob. She looks up her directory and finds e2 = 53 for Bob. She therefore calculates m′ as follows: m′ ≡ 4^53 (mod 77).
  4^1  ≡ 4
  4^2  ≡ 16
  4^4  ≡ 256 ≡ 25
  4^8  ≡ 625 ≡ 9
  4^16 ≡ 81 ≡ 4
  4^32 ≡ 16
Now 4^53 = 4^(32+16+4+1) = 4^32·4^16·4^4·4^1 ≡ 16·4·25·4 ≡ 6400 ≡ 9 (mod 77). Hence m′ = 9 and this is what gets transmitted to Bob.

Bob receives m′ = 9. He uses his own decoding number, d2 = 17, to calculate: m′′ ≡ 9^17 (mod 77).
  9^1  ≡ 9
  9^2  ≡ 81 ≡ 4
  9^4  ≡ 16
  9^8  ≡ 256 ≡ 25
  9^16 ≡ 625 ≡ 9
So 9^17 ≡ 9·9 ≡ 81 ≡ 4 (mod 77). Thus m′′ = 4 = m. This is the original message.

§ 11.8. The RSA Code: Why it Works

Suppose m is the original message, n is the modulus of the recipient, e is the encoding number of the recipient and d is the decoding number of the recipient. Then m′ = m^e (mod n) and m′′ = (m′)^d = m^(ed) (mod n). Now d was chosen so that ed ≡ 1 (mod ϕ(n)). So ed = kϕ(n) + 1.
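The set-up of § 11.7 and the exchange of Example 12, as an added Python example rather than the chapter's own code. It also covers the reversed use of the keys described later in § 11.11 (the sender applies her own decoding number, the receiver applies her public encoding number), using the numbers of Example 14. The checks are the conditions the text itself states: d is the inverse of e modulo ϕ(n), not modulo n; e must be coprime to ϕ(n); and a message must be coprime to the recipient's modulus. The class and function names are my own.

```python
# Added example, not from the chapter: the operator's set-up of § 11.7 and the
# exchange of Example 12 (Alice -> Bob), plus the reversed use of § 11.11 in
# which the sender applies her own decoding number and the receiver her public
# encoding number (Example 14). Names are my own; the numbers are the chapter's.
from math import gcd
from typing import NamedTuple


class RsaUser(NamedTuple):
    n: int   # public modulus p*q
    e: int   # public encoding number
    d: int   # decoding number, known only to the user (and the operator)


def set_up_user(p: int, q: int, e: int) -> RsaUser:
    """Operator: n = pq, phi(n) = (p-1)(q-1), d = e^-1 modulo phi(n), not modulo n."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError(f"e = {e} is not coprime to phi(n) = {phi_n}")
    d = pow(e, -1, phi_n)        # modular inverse (Python 3.8+)
    assert (e * d) % phi_n == 1
    return RsaUser(n, e, d)


def encode(m: int, recipient: RsaUser) -> int:
    """Alice computes m' = m^e mod n from the recipient's published e and n."""
    if not 0 < m < recipient.n or gcd(m, recipient.n) != 1:
        raise ValueError("message must lie in 1..n-1 and be coprime to n")
    return pow(m, recipient.e, recipient.n)


def decode(c: int, recipient: RsaUser) -> int:
    """Bob computes m'' = (m')^d mod n with his own decoding number."""
    return pow(c, recipient.d, recipient.n)


def sign(m: int, signer: RsaUser) -> int:
    """§ 11.11: encode with one's own decoding number, m' = m^d mod n."""
    return pow(m, signer.d, signer.n)


def verify(s: int, signer: RsaUser) -> int:
    """Recover m from s with the signer's public e; a value made with any other d comes out as something else."""
    return pow(s, signer.e, signer.n)


if __name__ == "__main__":
    alice = set_up_user(5, 19, 65)   # n1 = 95, phi(n1) = 72, d1 = 41
    bob = set_up_user(7, 11, 53)     # n2 = 77, phi(n2) = 60, d2 = 17
    c = encode(4, bob)
    print("Alice sends", c, "and Bob reads", decode(c, bob))
    s = sign(2, alice)
    print("Alice signs 2 as", s, "and Bob checks it as", verify(s, alice))
```

With the chapter's numbers this reproduces m′ = 9 and m′′ = 4 for Example 12, and 32 then 2 for Example 14. The reason `encode` rejects a message that is not coprime to n is the bracketed remark under SENDING A MESSAGE; the reason `set_up_user` works modulo ϕ(n) rather than n is the argument of § 11.8.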
Thus m′′ ≡ m^(ed) ≡ m^(kϕ(n)+1) (mod n) ≡ (m^ϕ(n))^k·m (mod n) ≡ 1^k·m (mod n) ≡ m (mod n). Hence the original message is recovered.

§ 11.9. The RSA Code: Is it Secure?

Once ϕ(n) is known it’s relatively easy for anybody to compute another user’s decoding number and therefore read his electronic mail. The security of the code therefore lies in the difficulty of calculating ϕ(n). Of course the operator has no difficulty in computing ϕ(n) because the operator knows the primes p, q. The users know n = pq and so in principle all they have to do is factorise it. This is no real difficulty if n has only 10 digits but it is not possible, with current technology, to factorise a typical 500 digit number.

It is a very elementary programming exercise to write a factorisation program along the simple-minded lines of trying every possible factor. Even though there are much more sophisticated methods available, they are all just clever variations on this simple-minded approach. Whatever method is used, the number of steps involved grows exponentially with the number of digits. A 200 digit number (a product of two very large primes) has been factorised in recent years, but it took several months, using a large number of powerful computers working in parallel. Perhaps in another 20 years improvements in hardware and software might reduce this to 1 week of computing time but for some time the code is safe. And of course in 20 years time when it might be possible to factorise 400 digit numbers it will be possible to generate 1000 digit primes and so use a 2000 digit value of n. While ever it is much easier to generate a k digit prime than it is to factorise a 2k digit number this cryptosystem can always stay one step ahead of would-be crackers.

The RSA algorithm is currently used whenever sensitive data, such as account numbers and passwords, have to be transmitted electronically.

One weakness with the above system is that the operator knows everything. This is the current situation.
The message is transmitted to the operator who then encodes it and sends the encrypted message to the recipient. A new protocol is E2EE – End to End Encryption. The message is encrypted in the user’s device and sent, via the operator, to the recipient where it is decrypted. Using a modified form of the above algorithm, the operator, or anyone who might intercept the transmission, is unable to decrypt the message. Hence if some government agency asks the operator to hand over a decrypted message they are, correctly, able to affirm that this is not possible. In 2016 such E2EE systems are starting to be implemented. However some governments are expected to resist these developments and may legislate against them.

§ 11.10. Cracking the RSA Code

As described above, the RSA code seems secure. But it doesn’t pay to be too complacent. For example it might have occurred to you that the system could be simplified by using the same modulus for all users. After all, if it can’t be factorised, why not?

Example 13:
OPERATOR KNOWS
  p = 37, q = 73, n = 2701, ϕ(n) = 2592
  A: e1 = 125, d1 = 1493
  B: e2 = 325, d2 = 973
Eve KNOWS
  n = 2701
  A: e1 = 125
  B: e2 = 325
Alice KNOWS
  n = 2701
  A: e1 = 125, d1 = 1493
  B: e2 = 325
Bob KNOWS
  n = 2701
  A: e1 = 125
  B: e2 = 325, d2 = 973

Eve doesn’t know ϕ(n). (We’ll assume that n is so large that she can’t factorise it.) But she does know that e1d1 ≡ 1 (mod ϕ(n)) so that ϕ(n) divides 125·1493 − 1 = 186624. This means that 186624 = kϕ(n), for some integer k, giving k = 186624/ϕ(n). Now ϕ(n) < n but for large n will be close to n. So k > 186624/n = 186624/2701 ≈ 69.09, but it will only be a little bigger.
Try k = 70. This gives ϕ(n) = 186624/70 ≈ 2666.057. This is not an integer.
Try k = 71. This gives ϕ(n) = 186624/71 ≈ 2628.507. This is not an integer.
Try k = 72. This gives ϕ(n) = 186624/72 = 2592. This is an integer and so is probably the correct value. To be completely sure one can use ϕ(n) to factorise n.
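Example 13 as an added Python example (not from the chapter): ϕ(n) is recovered from one user's own (e, d) pair by the search for k described above, and each candidate is confirmed by factorising n from ϕ(n), as the text goes on to do by hand. Run by an operator on their own keys, it is the check that shows a modulus must never be shared between users. The numbers are the chapter's and the function names are my own.

```python
# Added example, not from the chapter: the recovery of phi(n) in Example 13
# from a single user's own (e, d) pair, carried through to the factors p and q,
# written as the check that shows why an operator must never reuse a modulus
# between users. The numbers are the chapter's; function names are my own.
from math import isqrt
from typing import Optional, Tuple


def factors_from_phi(n: int, phi_n: int) -> Optional[Tuple[int, int]]:
    """p + q = n - phi(n) + 1, so p, q are the roots of x^2 - (p+q)x + n = 0."""
    s = n - phi_n + 1                 # p + q
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        return None                   # not a perfect square: phi_n was wrong
    p, q = (s - root) // 2, (s + root) // 2
    if p < 2 or p * q != n:
        return None
    return p, q


def phi_from_key_pair(n: int, e: int, d: int) -> Optional[int]:
    """ed - 1 = k*phi(n) with phi(n) < n, so k > (ed - 1)/n; try k upward until the quotient factorises n."""
    target = e * d - 1
    k = target // n + 1
    while k <= target:
        if target % k == 0 and factors_from_phi(n, target // k) is not None:
            return target // k
        k += 1
    return None


def shared_modulus_leaks_private_keys(n: int, e: int, d: int) -> bool:
    """True when one user's (e, d) suffices to factorise n, i.e. to compute every other user's d."""
    return phi_from_key_pair(n, e, d) is not None


if __name__ == "__main__":
    phi_n = phi_from_key_pair(2701, 125, 1493)
    print("phi(n) =", phi_n, "factors =", factors_from_phi(2701, phi_n))
    print("shared modulus unsafe:", shared_modulus_leaks_private_keys(2701, 125, 1493))
```

For the chapter's numbers the search starts at k = 70, rejects 70 and 71 because 186624 is not divisible by them, and accepts 72 because ϕ(n) = 2592 gives the perfect-square discriminant 1296 and the factors 37 and 73. Bob's pair (325, 973) recovers the same ϕ(n) at k = 122, which is the point of the example: either user alone can compute the other's decoding number.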
In this example, if p, q are the factors of n we know that:
pq = 2701 and (p − 1)(q − 1) = ϕ(n) = 2592.
Subtracting, we get p + q − 1 = 109, so p + q = 110. So p, q are the roots of a quadratic equation, and given the sum of the roots and the product of the roots the quadratic must be x^2 − 110x + 2701. Solving, we get
x = (110 ± √(110^2 − 4·2701))/2 = (110 ± √1296)/2 = (110 ± 36)/2 = 73, 37.
These are the factors of 2701. Once Eve has discovered p and q for Bob she can work out his ϕ(n), and she can then work out his decoding number and so, if she intercepts any message to Bob, she can decode it. But this has come about only because the same modulus is used for every user.

§ 11.11. Signature Verification

Another problem with computer security is to be able to guarantee that a particular message has come from whoever it's supposed to. If I send a message to your bank, masquerading as you, and request that your balance be transferred into a certain Swiss bank account, it would be comforting to know that your bank could tell that the request hadn't come from you. Of course I'd need to have somehow obtained your account details and password, but that's not impossible. Signature verification is an additional security measure.

Signature verification uses the RSA system in reverse. If I want to send a message to you, in such a way that you could be sure that it has indeed come from me, I would encode it using my decoding number instead of your encoding number. When you receive it you decode it using my encoding number. If it comes out as a recognisable message then it must have come from me. If the original message is m, and my modulus is n and my decoding number is d, then I calculate m′ = m^d modulo n. When you receive m′ you calculate (m′)^e. But (m′)^e ≡ (m^d)^e ≡ m^(ed) ≡ m. But how would you know that m was the correct original message? With a short, cryptic message you might not.
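The two procedures above, as an added example that is not code from the book: Eve's recovery of ϕ(n) and of the factors of a shared modulus from her own (e, d) pair (§ 11.10, Example 13), followed by the sign-and-check exchange of § 11.11 (Example 14). Function names are my own; the numbers are those of the two examples.

```python
from math import isqrt

def factor_from_phi(n, phi):
    """Recover p, q from n = pq and phi = (p-1)(q-1): they are the roots of
    x^2 - (p+q)x + pq with p + q = n - phi + 1 (the quadratic step of 11.10).
    Returns None when phi is not consistent with n (discriminant not a square)."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None

def recover_factors(n, e, d):
    """Eve's search in Example 13: e*d - 1 = k*phi(n) with phi(n) a little below n,
    so k is a little above (e*d - 1)/n.  Every k that divides exactly is only a
    candidate; the quadratic check rejects a divisor that is not really k*phi(n)."""
    t = e * d - 1
    k = t // n + 1                       # the smallest k with k > t/n
    while k <= t:
        if t % k == 0:
            phi = t // k
            pq = factor_from_phi(n, phi)
            if pq is not None:
                return phi, pq
        k += 1
    raise ValueError("no consistent phi(n) found; is (e, d) a pair for this n?")

def decoding_number(e, phi):
    """Inverse of e modulo phi(n); pow(e, -1, m) needs Python 3.8 or later."""
    return pow(e, -1, phi)

def sign(m, d, n):
    """Section 11.11: the sender encodes with her own decoding number."""
    return pow(m, d, n)

def verify(sig, e, n):
    """The receiver decodes with the sender's encoding number."""
    return pow(sig, e, n)

if __name__ == "__main__":
    # Example 13: Eve holds her own pair (e1, d1) = (125, 1493) on the shared modulus.
    phi, (p, q) = recover_factors(2701, 125, 1493)
    print(phi, p, q, decoding_number(325, phi))   # 2592 37 73 973
    # Example 14: Alice signs m = 2 with d1 = 41 on n1 = 95; Bob checks with e1 = 65.
    s = sign(2, 41, 95)
    print(s, verify(s, 65, 95))                    # 32 2
```

The same search applied to the per-user keys of Ex 11B5 to 11B7 gives the factors asked for there; with a distinct modulus per user it recovers nothing about anyone else.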
But with a much longer message, the fact that it made sense when converted to alphanumeric characters would guarantee its validity. If someone else attempted to encode the message to send money from your account to some Swiss bank account, and used the wrong decoding number (remember that only I know my own decoding number), the output after decoding would be gibberish.

Example 14:

OPERATOR KNOWS:
  A: p1 = 5, q1 = 19, n1 = 95, ϕ(n1) = 72, e1 = 65, d1 = 41
  B: p2 = 7, q2 = 11, n2 = 77, ϕ(n2) = 60, e2 = 53, d2 = 17

Eve KNOWS:
  A: n1 = 95, e1 = 65
  B: n2 = 77, e2 = 53

Alice KNOWS:
  A: n1 = 95, e1 = 65, d1 = 41
  B: n2 = 77, e2 = 53

Bob KNOWS:
  A: n1 = 95, e1 = 65
  B: n2 = 77, e2 = 53, d2 = 17

Suppose Alice wants to send the message m = 2 to Bob so that Bob can ensure that it came from Alice. Then Alice computes 2^41 (mod 95).
2^2 = 4, 2^4 = 16, 2^8 ≡ 66, 2^16 ≡ 81, 2^32 ≡ 6.
Hence 2^41 = 2^32·2^8·2 ≡ 6·66·2 ≡ 32.
She transmits this message, 32, and when Bob receives it he calculates 32^65.
32^2 ≡ 74, 32^4 ≡ 61, 32^8 ≡ 16, 32^16 ≡ 66, 32^32 ≡ 81, 32^64 ≡ 6.
Hence 32^65 ≡ 6·32 ≡ 2.

If Eve had sent the message, using a wrong encoding number, it would have been decoded as some other number, such as 7. How does Bob know that it wasn't Eve who sent the message? After all, 7 is just as plausible as 2. But remember that, in practice, the messages will be converted to quite large numbers. So a message that had come from Alice might be decrypted by Bob as: PLEASE SEND $1000 TO BANK ACCOUNT 51238. If Eve had sent this, with 51238 as her own account, Bob might decrypt it as: NGDR JU2CDF NK7RC G9KHB LQXZYQ.

EXERCISES FOR CHAPTER 11

EXERCISES 11A (Arithmetic Mod m)

Ex 11A1: If x = 7 and y = 6, compute x^3 + y^3 (mod 11).
Ex 11A2: Find the inverses of the non-zero elements of ℤ11.
Ex 11A3: Which elements of ℤ15 have inverses under multiplication?
Ex 11A4: Find the remainder on dividing 13^31967 by 31.
Ex 11A5: Calculate ϕ(2600). Hence find 3^1000 in ℤ2600.
Ex 11A6: In ℤ1271 find 1037^1234567.
Ex 11A7: Find the remainder on dividing 11^1603 by 600.
Ex 11A8: Find the inverse of 125 modulo 2592. (This obtains the decoding number for user A in Example 13.)
Ex 11A9: (i) Solve the equation 143x ≡ 1 (mod 300). (ii) Find ϕ(78200).

EXERCISES 11B (Public Key Cryptography)

Ex 11B1: (a) You are a user in a Public Key Cryptographic System based on the RSA system. You wish to send the message 12 to another user whose modulus is 527 and whose encoding number is 113. What is the encoded message that you would send? (b) Factorise 527 into primes (in practical Public Key Systems this would be the "stumbling block"). Use this factorisation to compute the decoding number for the other user. (c) Now use that other user's decoding number to decode the message sent in part (a).

Ex 11B2: Suppose you are setting up a Public Key Cryptographic system, using the RSA algorithm, and you choose to use the same modulus 4331 = 61·71 for all users. (This is risky, as we've seen in § 11.10, even for large primes.) In choosing encoding numbers for the users you'd obviously avoid e = 1. Suppose that encoding numbers that are prime or perfect squares are considered to be unlucky and are avoided. Choose the smallest suitable encoding number for a user and calculate the corresponding decoding number.

Ex 11B3: You are Alice Turnbull, a user of a Public Key Cryptographic system, and you've been issued with this directory of moduli and encoding keys for all users.

DIRECTORY
USER              modulus   encoding number
...               ...       ...
TURING Alan       4343      1573
TURNBULL Alice    7259      3907
TURTLE Bob        9301      129
...               ...       ...

You are also issued with a secret decoding number:
TOP SECRET. Alice Turnbull: Your Decoding number is 4003. DO NOT REVEAL THIS TO ANYONE.

(a) You wish to send the message 2195 to Alan Turing. What should you send? (b) You receive the message 157, apparently from Bob Turtle. Decode it.
(c) The message includes the information in "plain text" to the effect that it has come from Bob Turtle and, when the main message is decoded, it should read 8143. Was it a forgery?

Ex 11B4: You are setting up an RSA Public Key coding system and, for subscriber A, you've chosen the primes p = 31, q = 83 and the encoding number e = 77. (i) Calculate the corresponding decoding number, d. (ii) Subscriber B wishes to send the message m = 14 to A. What does she send to A? (iii) B receives the message 14 from A, who claims that it is his encoding number encoded by his decoding number (using his modulus). Check whether this message did come from A.

Ex 11B5: An RSA Public Key coding system works with modulus 391, which is the product of two primes. A message, represented by the number 20, is sent to someone whose encoding key is 53. (i) What is the corresponding encoded message? (ii) The corresponding decoding key is 93. Use this information to find the two prime factors, p and q, of 391. (iii) Check that ϕ(391) = (p − 1)(q − 1). (iv) Use this to find the decoding number for someone who has an encoding key of 91.

Ex 11B6: An RSA Public Key system works with the same modulus, 673627, for all users. It is the product of two primes. A message, represented by the number 3, is sent to someone whose encoding key is 13. (i) What is the corresponding encoded message? (ii) The corresponding decoding key is 103381. Use this information to find the two prime factors, p and q, of 673627. (iii) Check that ϕ(673627) = (p − 1)(q − 1). (iv) Use this to find the decoding number for someone else, with an encoding key of 7.

Ex 11B7: An RSA Public Key system assigns to a user the modulus 42547, the encoding key 77 and the decoding key 41573. Use this information to find the two prime factors of 42547.

SOLUTIONS FOR CHAPTER 11

Ex 11A1: 9

Ex 11A2:
x    : 1  2  3  4  5  6  7  8  9  10
x^-1 : 1  6  4  3  9  2  8  7  5  10

Ex 11A3: 1, 2, 4, 7, 8, 11, 13, 14.

Ex 11A4: 17.
Ex 11A5: ϕ(2600) = 960; 3^1000 = 601.

Ex 11A6: 872

Ex 11A7: ϕ(600) = ϕ(2^3·3·5^2) = 2^2·2·5·4 = 160. Thus 11^160 = 1 in ℤ600. Hence 11^1603 = 11^3 = 1331 = 131. Thus the remainder is 131.

Ex 11A8: The Euclidean algorithm gives
2592 = 20·125 + 92
125 = 1·92 + 33
92 = 2·33 + 26
33 = 1·26 + 7
26 = 3·7 + 5
7 = 1·5 + 2
5 = 2·2 + 1
Hence 1 = 5 − 2·2 = 5 − 2(7 − 5) = 3·5 − 2·7 = 3(26 − 3·7) − 2·7 = 3·26 − 11·7 = 3·26 − 11(33 − 26) = 14·26 − 11·33 = 14(92 − 2·33) − 11·33 = 14·92 − 39·33 = 14·92 − 39(125 − 92) = 53·92 − 39·125 = 53(2592 − 20·125) − 39·125 = 53·2592 − 1099·125.
Hence 1 ≡ (−1099)·125 (mod 2592). The inverse of 125 modulo 2592 is therefore −1099 ≡ 1493.

Ex 11A9: (i) 300 = 143·2 + 14; 143 = 14·10 + 3; 14 = 3·4 + 2; 3 = 2·1 + 1.
∴ 1 = 3 − 2 = 3 − (14 − 3·4) = 3·5 − 14 = (143 − 14·10)·5 − 14 = 143·5 − 14·51 = 143·5 − (300 − 2·143)·51 = 143·107 − 300·51 ≡ 143·107 (mod 300).
∴ x ≡ 107 (mod 300).
(ii) ϕ(78200) = ϕ(2^3·5^2·17·23) = 2^2·5·4·16·22 = 28160.

Ex 11B1: (a) Send 12^113 (mod 527). Now in ℤ527: 12^2 = 144; 12^4 = 20736 = 183; 12^8 = 33489 = 288; 12^16 = 82944 = 205; 12^32 = 42025 = 392; 12^64 = 153664 = 307.
∴ 12^113 = 12^64·12^32·12^16·12 = 307·392·205·12 = 120344·2460 = 188·352 = 66176 = 301. So the transmitted message is 301.
(b) 527 = 17·31 and so ϕ(527) = 16·30 = 480. Now 480 = 113·4 + 28 and 113 = 28·4 + 1. Hence 1 = 113 − (480 − 113·4)·4 = 17·113 − 480·4, and so in ℤ480, 1 = 17·113. Thus the decoding number is 17.
CHECK: If we now decode the message 301 using this decoding number we get 301^17 (mod 527). Using the same method as in (a) we get 12, the original message.

Ex 11B2: (a) m = pq = 4331 and ϕ(m) = 60 × 70 = 4200. An encoding number needs to be any number that is coprime with 4200. It therefore must have no factors of 2, 3, 5 or 7. Clearly e = 1 is unsuitable, and we're told to avoid primes and square values of e. The smallest suitable number is thus e = 11·13 = 143. We now find the inverse of 143 modulo 4200.
4200 = 143·29 + 53
143 = 53·2 + 37
53 = 37 + 16
37 = 16·2 + 5
16 = 5·3 + 1
so 1 = 16 − 5·3 = 16 − (37 − 16·2)·3 = 16·7 − 37·3 = (53 − 37)·7 − 37·3 = 53·7 − 37·10 = 53·7 − (143 − 53·2)·10 = 53·27 − 143·10 = (4200 − 143·29)·27 − 143·10 = 4200·27 − 143·793.
So d = −793 = 3407. Thus e = 143 and d = 3407.

Ex 11B3: (a) The encoded message is 2195^1573 (mod 4343). Now 1573 = 1024 + 512 + 32 + 4 + 1. We prepare a table of values of 2195^m modulo 4343 for m a power of 2.
m      : 1     2     4     8     16    32    64    128   256   512   1024
2195^m : 2195  1638  3413  643   864   3843  2449  4261  2381  1546  1466
So 2195^1573 = 2195·3413·3843·1546·1466 = 4203·3843·1546·1466 = 512·1546·1466 = 1126·1466 = 376.
(b) The decoded message is 157^4003 (mod 7259). Now 4003 = 2048 + 1024 + 512 + 256 + 128 + 32 + 2 + 1.
m     : 1    2     4     8     16    32    64    128   256   512   1024  2048
157^m : 157  2872  2160  5322  6325  1276  2160  5322  6325  1276  2160  5322
So 157^4003 ≡ 5322·2160·1276·6325·5322·1276·2872·157 ≡ 4523·5951·3707·5619 ≡ 1·3562 ≡ 3562.
(c) We must calculate 3562^129 (mod 9301).
m      : 1     2     4     8     16    32    64    128
3562^m : 3562  1280  1424  158   6362  6393  1855  8956
3562^129 ≡ 8956·3562 ≡ 8143. Hence we assume that it must have genuinely come from Bob Turtle.

Ex 11B4: (i) n = 2573. ϕ(n) = 30·82 = 2460. So we must solve 77d ≡ 1 (mod 2460).
2460 = 77·31 + 73
77 = 73·1 + 4
73 = 4·18 + 1
∴ 1 = 73 − 4·18 = 73 − (77 − 73)·18 = 73·19 − 77·18 = (2460 − 77·31)·19 − 77·18 = 2460·19 − 77·607 ≡ −77·607 (mod 2460).
∴ d ≡ −607 ≡ 1853 (mod 2460). So the decoding key is 1853.
(ii) B sends 14^e (mod pq), that is, 14^77 (mod 2573).
14^2 ≡ 196, 14^4 ≡ 2394, 14^8 ≡ 1165, 14^16 ≡ 1254, 14^32 ≡ 413, 14^64 ≡ 751.
77 = 64 + 8 + 4 + 1
∴ 14^77 ≡ 751·1165·2394·14 ≡ 95·67 ≡ 1219. So B sends A the coded message 1219.
(iii) If A had sent his encoding number, coded by his decoding number, then it should have been 77^d (mod 2573). That would mean that 77^d ≡ 14 (mod 2573). Then 77^(77d) ≡ 14^77 (mod 2573), that is, 14^77 ≡ 77 (mod 2573). But from (ii) we found that 14^77 ≡ 1219, not 77.
Therefore either A got it wrong or, more likely, the message came from someone else pretending to be A.

Ex 11B5: (i) The encoded message is 20^53 (mod 391).
20^2 ≡ 400 ≡ 9, 20^4 ≡ 81, 20^8 ≡ 305, 20^16 ≡ 358, 20^32 ≡ 307.
53 = 32 + 16 + 4 + 1, so 20^53 = 307·358·81·20 = 35·56 = 5. So the encoded message is 5.
(ii) 53·93 = 4929 ≡ 1 (mod ϕ(391)). Hence 4928 = ϕ(391)k for some k. Now ϕ(391) < 391, so k > 4928/391 ≈ 12.60.
Try k = 13. Then ϕ(391) = 4928/13 ≈ 379.077. This is impossible.
Try k = 14. Then ϕ(391) = 4928/14 = 352. This is probably correct.
If p, q are the prime factors of 391 we therefore have pq = 391. Because the numbers are small in this exercise it would be very easy to find p and q, but let's pretend that this is not feasible, as would be the case with 200 digit primes.
So pq = 391 and ϕ(391) = (p − 1)(q − 1) = 352. Subtracting, we get p + q − 1 = 39, so p + q = 40. So p, q are the roots of a quadratic where the sum of the roots is 40 and the product is 391. This quadratic equation is x^2 − 40x + 391 = 0. Solving, we get x = (40 ± √36)/2 = (40 ± 6)/2 = 17 and 23.
(iii) (p − 1)(q − 1) = 16·22 = 352 = ϕ(391).
(iv) The decoding number for e = 91 would satisfy 91d ≡ 1 (mod 352). Now
352 = 91·3 + 79
91 = 79·1 + 12
79 = 12·6 + 7
12 = 7·1 + 5
7 = 5·1 + 2
5 = 2·2 + 1
∴ 1 = 5 − 2·2 = 5 − (7 − 5)·2 = 5·3 − 7·2 = (12 − 7)·3 − 7·2 = 12·3 − 7·5 = 12·3 − (79 − 12·6)·5 = 12·33 − 79·5 = (91 − 79)·33 − 79·5 = 91·33 − 79·38 = 91·33 − (352 − 91·3)·38 = 91·147 − 352·38 ≡ 91·147 (mod 352).
Hence the decoding number is 147.

Ex 11B6: (i) 3^13 = 1594323 ≡ 247069 (mod 673627). So the encoded message is 247069.
(ii) Let e = 13, d = 103381. Then ed = 1343953 ≡ 1 (mod (p − 1)(q − 1)). Hence (p − 1)(q − 1) divides 1343952. We know also that pq = 673627. Since (p − 1)(q − 1) is less than pq but most likely has the same order of magnitude as pq, it is likely that 1343952 = 2(p − 1)(q − 1), which gives (p − 1)(q − 1) = 671976.
Hence pq − p − q + 1 = 671976, which gives p + q = pq + 1 − 671976 = 673627 + 1 − 671976 = 1652. We therefore have p + q = 1652 and pq = 673627. It follows that p, q are solutions to the quadratic equation x^2 − 1652x + 673627 = 0. The solutions of this quadratic are the integers 733 and 919. We can check that they are indeed the two factors of 673627.
(iii) (p − 1)(q − 1) = 732·918 = 671976.
(iv) If now e = 7 then the corresponding decoding key satisfies 7d ≡ 1 (mod 671976). The solution can be easily found to be 479983.

Ex 11B7: Let e = 77, d = 41573, n = pq = 42547. Then ed − 1 = 3201120 = kϕ(n) for some integer k, so k = 3201120/ϕ(n) > 3201120/42547 ≈ 75.23.
Try k = 76: ϕ(n) = 42120. Since this is an integer it is probably the correct value.
pq = 42547 and (p − 1)(q − 1) = 42120.
∴ p + q − 1 = 427, so p + q = 428. Hence p, q are the roots of the quadratic x^2 − 428x + 42547. So the prime factors of 42547 are 271, 157.
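The two hand procedures used throughout these solutions, repeated squaring for m^e (mod n) (as in Ex 11B1 and 11B3) and the Euclidean algorithm with back-substitution for a decoding number (as in Ex 11A8 and 11A9), as an added example not taken from the book. Function names are my own; the checks in the usage section are the book's own answers.

```python
def power_table(base, n, bits):
    """base^(2^i) mod n for i = 0 .. bits-1: the table the solutions prepare by
    repeated squaring (for 12 mod 527: 12, 144, 183, 288, 205, 392, 307)."""
    table, x = [], base % n
    for _ in range(bits):
        table.append(x)
        x = x * x % n
    return table

def pow_mod(base, exp, n):
    """Square-and-multiply: write exp in binary and multiply together the
    power-table entries for each 1 bit, reducing mod n at every step."""
    result, x = 1 % n, base % n
    while exp > 0:
        if exp & 1:
            result = result * x % n
        x = x * x % n
        exp >>= 1
    return result

def euclid_steps(a, b):
    """The division chain a = q*b + r, ..., as listed in Ex 11A8 and 11A9,
    returned as (a, q, b, r) tuples until the remainder is 0."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps

def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b): the back-substitution."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y

def inverse_mod(e, m):
    """Decoding number d with e*d = 1 (mod m); fails if e and m are not coprime,
    which is exactly the case an encoding number must avoid (Ex 11B2)."""
    g, x, _ = ext_gcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {m} (gcd = {g})")
    return x % m

if __name__ == "__main__":
    print(pow_mod(12, 113, 527))                 # Ex 11B1(a): 301
    print(inverse_mod(125, 2592))                # Ex 11A8: 1493
    for a, q, b, r in euclid_steps(300, 143):    # Ex 11A9(i)
        print(f"{a} = {b}·{q} + {r}")
```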